When viewing a TCP dump of an SSL VPN connection to a Pulse Connect Secure server made from Firefox through a defined proxy server, the traffic is initially proxied, but at some point during the connection it is redirected to go direct instead of using the proxy. If the default route is configured to use a proxy server for the connection to the VPN, any resource accessed through the VPN should be proxied first. Therefore, any traffic that is redirected to go direct to the target resource, rather than being proxied, will be blocked by the corporate firewall.
Consider the following scenario:
Remote Client --> Proxy server --> Firewall <--------------> PCS
All Web requests should go to the proxy server first.
In this scenario, all Network Connect tunneled traffic defined by the NC ACL goes directly to the resource via the virtual adapter IP address, and the proxy is used only during the initial authentication request to the PCS device. The proxy configuration is applied only to connect the VPN session.
In this scenario, it was also observed that other Web requests were going direct, thereby ignoring the proxy configuration, even though all traffic was expected to be proxied.
These observations were made from a TCP dump captured on the Linux client with the above proxy configuration, and this behavior was observed only when connecting from Linux clients. Windows clients and Mac OS X clients exhibited the expected behavior, where all of the traffic went over the proxy server.
The client-side log ncsvc.log shows the following message in the initial VPN setup phase, "session.info Will not use a proxy to connect to the PCS":
20100603105202.267167 ncsvc[p8975.t8975] session.info Will not use a proxy to connect to the IVE (session.cpp:217)
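The following Python script is an added example, not part of the original article or of any Pulse Secure tooling. It parses ncsvc.log lines and reports every session message saying the client will not use a proxy. The field layout is an assumption inferred from the single log line quoted above, and the function names and the two extra sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed layout, inferred from the one ncsvc.log line quoted in the article:
# <YYYYmmddHHMMSS.micro> <proc>[p<pid>.t<tid>] <component>.<level> <message> (<file>:<line>)
LINE_RE = re.compile(
    r"^(?P<ts>\d{14}\.\d{6})\s+"
    r"(?P<proc>\w+)\[p(?P<pid>\d+)\.t(?P<tid>\d+)\]\s+"
    r"(?P<component>\w+)\.(?P<level>\w+)\s+"
    r"(?P<msg>.*?)"
    r"(?:\s+\((?P<src>[\w.]+):(?P<lineno>\d+)\))?\s*$"
)
NO_PROXY = "Will not use a proxy to connect"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y%m%d%H%M%S.%f")
    for key in ("pid", "tid", "lineno"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def find_proxy_bypass(lines):
    """Collect session messages stating that no proxy will be used."""
    hits = []
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec and rec["component"] == "session" and NO_PROXY in rec["msg"]:
            hits.append(rec)
    return hits


SAMPLE = [
    # Constructed filler line in the assumed layout (not real ncsvc output).
    "20100603105201.100000 ncsvc[p8975.t8975] example.info constructed filler line (example.cpp:1)",
    # The line quoted in the article.
    "20100603105202.267167 ncsvc[p8975.t8975] session.info Will not use a proxy to connect to the IVE (session.cpp:217)",
    # Constructed malformed line, to show that unparseable input is skipped.
    "truncated or unrelated text",
]

if __name__ == "__main__":
    for hit in find_proxy_bypass(SAMPLE):
        print(f"{hit['ts'].isoformat()} pid={hit['pid']} {hit['msg']} [{hit['src']}:{hit['lineno']}]")
```

To check a real client, pass the open ncsvc.log file object to find_proxy_bypass in place of SAMPLE.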